Search Results (44243 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-10909 | Drupal, Sensiolabs | Drupal, Symfony | 2024-11-21 | 5.4 Medium |
| In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle. | ||||
| CVE-2019-10905 | Parsedown | Parsedown | 2024-11-21 | N/A |
| Parsedown before 1.7.2, when safe mode is used and HTML markup is disabled, might allow attackers to execute arbitrary JavaScript code if a script (already running on the affected page) executes the contents of any element with a specific class. This occurs because spaces are permitted in code block infostrings, which interferes with the intended behavior of a single class name beginning with the language- substring. | ||||
| CVE-2019-10904 | Debian, Roundup-tracker | Debian Linux, Roundup | 2024-11-21 | N/A |
| Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi and roundup/cgi/wsgi_handler.py mishandle 404 errors. | ||||
| CVE-2019-10893 | Centos-webpanel | Centos Web Panel | 2024-11-21 | N/A |
| CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version) and 0.9.8.753 (Pro) is vulnerable to stored/persistent XSS in the Admin Email field on the "CWP Settings > Edit Settings" screen. Changing the email address to an XSS payload and clicking Save Changes causes the payload to execute. | ||||
| CVE-2019-10887 | Salicru | Slc-20-cube3(5) | 2024-11-21 | 6.1 Medium |
| A reflected HTML injection vulnerability on Salicru SLC-20-cube3(5) devices running firmware version cs121-SNMP v4.54.82.130611 allows remote attackers to inject arbitrary HTML elements via a /DataLog.csv?log= or /AlarmLog.csv?log= or /waitlog.cgi?name= or /chart.shtml?data= or /createlog.cgi?name= request. | ||||
| CVE-2019-10881 | Xerox | Altalink B8045, Altalink B8045 Firmware, Altalink B8055 and 17 more | 2024-11-21 | 9.8 Critical |
| Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and AltaLink C8030/C8035/C8045/C8055/C8070 with software releases before 103.xxx.030.32000 include two accounts with weak hard-coded passwords; the accounts cannot be disabled and can be exploited to gain unauthorized access. | ||||
| CVE-2019-10864 | Veronalabs | Wp Statistics | 2024-11-21 | N/A |
| The WP Statistics plugin through 12.6.2 for WordPress has XSS, allowing a remote attacker to inject arbitrary web script or HTML via the Referer header of a GET request. | ||||
| CVE-2019-10851 | Computrols | Computrols Building Automation Software | 2024-11-21 | N/A |
| Computrols CBAS 18.0.0 has hard-coded encryption keys. | ||||
| CVE-2019-10850 | Computrols | Computrols Building Automation Software | 2024-11-21 | N/A |
| Computrols CBAS 18.0.0 has default credentials. | ||||
| CVE-2019-10846 | Computrols | Computrols Building Automation System | 2024-11-21 | 6.1 Medium |
| Computrols CBAS 18.0.0 has unauthenticated reflected cross-site scripting vulnerabilities in the login page and the password reset page via the username GET parameter. | ||||
| CVE-2019-10785 | Debian, Linuxfoundation | Debian Linux, Dojox | 2024-11-21 | 6.1 Medium |
| dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them. | ||||
| CVE-2019-10779 | Gchq | Stroom | 2024-11-21 | 6.1 Medium |
| All versions of stroom:stroom-app before 5.5.12 and all versions of the 6.0.0 branch before 6.0.25 are affected by Cross-site Scripting. An attacker website is able to load the Stroom UI into a hidden iframe. Using that iframe, the attacker site can issue commands to the Stroom UI via an XSS vulnerability to take full control of the Stroom UI on behalf of the logged-in user. | ||||
| CVE-2019-10772 | Svg-sanitizer Project | Svg-sanitizer | 2024-11-21 | 6.1 Medium |
| It is possible to bypass enshrined/svg-sanitize before 0.13.1 using the "xlink:href" attribute due to mishandling of the xlink namespace by the sanitizer. | ||||
| CVE-2019-10771 | Iobroker | Iobroker.web | 2024-11-21 | 6.1 Medium |
| Characters in the GET url path are not properly escaped and can be reflected in the server response. | ||||
| CVE-2019-10770 | Ratpack | Ratpack | 2024-11-21 | 6.1 Medium |
| All versions of io.ratpack:ratpack-core from 0.9.10 inclusive and before 1.7.6 are vulnerable to Cross-site Scripting (XSS). This affects the development mode error handler when an exception message contains untrusted data. Note the production mode error handler is not vulnerable - so for this to be utilized in production it would require users to not disable development mode. | ||||
| CVE-2019-10756 | Nodered | Node-red-dashboard | 2024-11-21 | 5.4 Medium |
| It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the ui_notification node accepting raw HTML by default. | ||||
| CVE-2019-10715 | Verodin | Director | 2024-11-21 | 5.4 Medium |
| There is Stored XSS in Verodin Director 3.5.3.0 and earlier via input fields of certain tooltips, and on the Tags, Sequences, and Actors pages. | ||||
| CVE-2019-10712 | Wago | 750-330, 750-330 Firmware, 750-352 and 29 more | 2024-11-21 | N/A |
| The Web-GUI on WAGO Series 750-88x (750-330, 750-352, 750-829, 750-831, 750-852, 750-880, 750-881, 750-882, 750-884, 750-885, 750-889) and Series 750-87x (750-830, 750-849, 750-871, 750-872, 750-873) devices has undocumented service access. | ||||
| CVE-2019-10694 | Puppet | Puppet Enterprise | 2024-11-21 | 9.8 Critical |
| The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1.9. | ||||
| CVE-2019-10688 | Polycom | Better Together Over Ethernet Connector, Unified Communications Software | 2024-11-21 | N/A |
| Polycom VVX products with software versions up to and including UCS 5.9.2, running the Better Together over Ethernet Connector (BToE) application 3.9.1, use hard-coded credentials to establish connections between the host application and the device. | ||||
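The dojox entry (CVE-2019-10785) describes a bug class worth seeing in code: `String.prototype.replace` with a string pattern replaces only the first match, so an encoder built on it neutralises the first `<` and lets every later one through. The JavaScript below is an added example and not the dojox source: `xmlEncodeFirstOnly` reconstructs the defect described in the advisory, `xmlEncodeAll` is the corrected encoder using global regexes, and `isXmlEncoded` is a property check a test suite can run against any encoder. The payload is constructed for the demo.

```javascript
// Added example: first-occurrence-only escaping (the bug class behind CVE-2019-10785)
// next to a correct encoder. Not the dojox source; a reconstruction of the defect.

// Buggy: a string pattern passed to String.prototype.replace matches only the FIRST
// occurrence, so any second '&', '<', '>', '"' or "'" reaches the output untouched.
function xmlEncodeFirstOnly(str) {
  return String(str)
    .replace("&", "&amp;")
    .replace("<", "&lt;")
    .replace(">", "&gt;")
    .replace('"', "&quot;")
    .replace("'", "&#39;");
}

// Fixed: a single pass with a global regex and a character map encodes every
// occurrence, and '&' cannot be double-encoded because the input is read only once.
const XML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function xmlEncodeAll(str) {
  return String(str).replace(/[&<>"']/g, (ch) => XML_ENTITIES[ch]);
}

// Property check for any encoder: no raw markup characters may remain, and '&' may
// only appear as the start of one of the five entities we emit.
function isXmlEncoded(encoded) {
  if (/[<>"']/.test(encoded)) return false;
  return /^(?:[^&]|&(?:amp|lt|gt|quot|#39);)*$/.test(encoded);
}

// Constructed attacker input with two tags: the buggy encoder defangs the first
// and emits the second verbatim, which is what makes the result XSS rather than
// a cosmetic glitch.
const PAYLOAD = '<b>x</b><img src=x onerror="alert(1)">';

function demo() {
  return {
    buggy: xmlEncodeFirstOnly(PAYLOAD),
    fixed: xmlEncodeAll(PAYLOAD),
    buggySafe: isXmlEncoded(xmlEncodeFirstOnly(PAYLOAD)),
    fixedSafe: isXmlEncoded(xmlEncodeAll(PAYLOAD)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `isXmlEncoded` check is the part to keep: a one-line regression test of this kind (feed the encoder a string with two of every special character, assert none survive) would have caught the original defect regardless of how the encoder was written.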
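The Parsedown entry (CVE-2019-10905) turns on a detail that is easy to miss: a fenced code block's infostring becomes part of a class attribute (`language-<infostring>`), and if whitespace passes through unchecked, the Markdown author controls every class on the `<code>` element rather than just the language suffix. That only becomes exploitable when, as the advisory says, a script already on the page executes the text of elements carrying some specific class. The JavaScript below is an added example, not Parsedown's code, and does not describe the upstream patch; the renderer functions and the trigger class `run-me` are hypothetical, and the Markdown input is constructed.

```javascript
// Added example (not Parsedown's code): how a fenced-code infostring reaches a class
// attribute, and why whitespace in it matters. Function names and the "run-me"
// class are hypothetical.

// Minimal attribute/text escaping so the demo's own output is well-formed HTML.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable shape: the whole infostring is appended to "language-", so an
// infostring of "js run-me" yields class="language-js run-me" and the author
// has smuggled in a second class of their choosing.
function codeClassUnsafe(infostring) {
  return "language-" + infostring;
}

// Hardened: only a single token may become a class, and it must consist of
// characters that cannot split or terminate the class list. Anything else gets
// no class attribute at all. (A defensive approach; not a claim about the
// actual Parsedown 1.7.2 fix.)
function codeClassSafe(infostring) {
  const token = infostring.trim();
  if (!/^[A-Za-z0-9_+#.-]+$/.test(token)) return null; // whitespace or odd characters: reject
  return "language-" + token;
}

function renderFence(infostring, body, classFn) {
  const cls = classFn(infostring);
  const attr = cls === null ? "" : ` class="${escapeHtml(cls)}"`;
  return `<pre><code${attr}>${escapeHtml(body)}</code></pre>`;
}

// Stands in for the page script described in the advisory: it would execute the
// text of any element carrying class "run-me". We only report whether it would fire.
function wouldPageScriptRun(html) {
  const m = html.match(/<code class="([^"]*)">/);
  return m !== null && m[1].split(/\s+/).includes("run-me");
}

// Constructed Markdown author input: an infostring containing a space, then a body
// the trigger script would evaluate.
const INFOSTRING = "js run-me";
const BODY = "alert(document.cookie)";

function demo() {
  const unsafe = renderFence(INFOSTRING, BODY, codeClassUnsafe);
  const safe = renderFence(INFOSTRING, BODY, codeClassSafe);
  return { unsafe, safe, unsafeRuns: wouldPageScriptRun(unsafe), safeRuns: wouldPageScriptRun(safe) };
}

console.log(JSON.stringify(demo(), null, 2));
```

The general lesson is that escaping the attribute value is not enough: `language-js run-me` is perfectly valid, correctly escaped attribute content. The class list is a tokenised structure, so the sanitiser has to constrain the token set (one token, a fixed prefix, a conservative alphabet), not just the characters.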